From eb96544e68f1a14a8232ae56613acd671f8ee6a0 Mon Sep 17 00:00:00 2001 From: Jesse Wierzbinski Date: Fri, 26 Jul 2024 19:26:35 +0200 Subject: [PATCH] fix(federation): :bug: Remove usage of Origin header during federation --- server/api/users/:uuid/inbox/index.ts | 40 +++++++++++++-------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/server/api/users/:uuid/inbox/index.ts b/server/api/users/:uuid/inbox/index.ts index 78a5ecb7..656209f7 100644 --- a/server/api/users/:uuid/inbox/index.ts +++ b/server/api/users/:uuid/inbox/index.ts @@ -45,7 +45,6 @@ export const schemas = { signature: z.string(), date: z.string(), authorization: z.string().optional(), - origin: z.string(), }), body: z.any(), }; @@ -59,21 +58,10 @@ export default (app: Hono) => zValidator("json", schemas.body, handleZodError), async (context) => { const { uuid } = context.req.valid("param"); - const { signature, date, authorization, origin } = + const { signature, date, authorization } = context.req.valid("header"); const logger = getLogger(["federation", "inbox"]); - // Check if Origin is defederated - if ( - config.federation.blocked.find( - (blocked) => - blocked.includes(origin) || origin.includes(blocked), - ) - ) { - // Pretend to accept request - return response(null, 201); - } - const body: Entity = await context.req.valid("json"); if (config.debug.federation) { 
@@ -139,15 +127,27 @@ export default (app: Hono) => } } + const keyId = signature + .split("keyId=")[1] + .split(",")[0] + .replace(/"/g, ""); + const sender = await User.resolve(keyId); + + const origin = new URL(keyId).origin; + + // Check if Origin is defederated + if ( + config.federation.blocked.find( + (blocked) => + blocked.includes(origin) || origin.includes(blocked), + ) + ) { + // Pretend to accept request + return response(null, 201); + } + // Verify request signature if (checkSignature) { - const keyId = signature - .split("keyId=")[1] - .split(",")[0] - .replace(/"/g, ""); - - const sender = await User.resolve(keyId); - if (!sender) { return errorResponse("Could not resolve keyId", 400); }
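Review bot: The keyId parsing and `User.resolve(keyId)` now run on every request, ahead of both the defederation check and the `checkSignature` guard. A Signature header without `keyId=` or with a non-URL keyId therefore throws (`[1]` is `undefined`, `new URL` rejects) instead of returning a 4xx, and the sender is resolved, presumably with a remote lookup, before a blocked origin is turned away. Parse defensively, derive the origin and run the block check first, then resolve the sender, as sketched below; `checkSignature` is set outside this hunk, so confirm whether requests that skip verification may legitimately lack a keyId before rejecting them. The block match is still a two-way substring test and `origin` now carries the scheme, so a bare-hostname entry also matches any origin that merely contains it; comparing `new URL(keyId).hostname` with the list exactly or on a dot boundary would be tighter. The enclosing handler starts and ends outside the hunk.

```typescript
// … unchanged: body parsing, debug logging, checkSignature setup …
const keyId = signature
    .split("keyId=")[1]
    ?.split(",")[0]
    .replace(/"/g, "");

// keyId is sender-supplied and not yet verified at this point
if (!keyId || !URL.canParse(keyId)) {
    return errorResponse("Invalid keyId in Signature header", 400);
}

const origin = new URL(keyId).origin;

// … unchanged: defederation check on origin, returning 201 …

// Resolve the sender only after the origin is known not to be blocked
const sender = await User.resolve(keyId);
```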